Tuesday, July 18, 2006

the devil made me do it

I was just reading RSnake's post on Attacking Applications Via XSS Proxies. We've toyed around with different XSS exploitation ideas for a long while, but having seen it written out, its spooky. Essentially RSnake describes how someone could hack a website, using an XSS'ed victim, with the bonus that the attackers IP never shows up in the target machines logs. The explanation is a bit complicated, the XSS proxy attack diagram makes it easier, but once it clicks you'll see how plausible and easy the idea becomes.

Another side effect of the research applies to cyber crime (hacking) cases. I've read that court have found reasonable doubt for the accused where the arguement is a trojan-horse on their machine did the hacking. Not them. The forensic investigators certianly can't rule out the possibility, because hey, the machine did have a trojan and could have done exactly that. The thing is XSS malware is able act similarly to an typical trojan horse, the main difference is the code resides in the web browser, and not present on the filesystem or memory.

What if a person wanted to frame someone using an XSS attack? For instance making their victim hack another website (ala Rsnake), DoS some government websites, or access some pedophilia. Every log in the world would say the victim did exactly that and leaves very little if any forensic evidence. Trojan defense goes out the door, for the innocent and the guilty, especially since I doubt forensic investigators are looking for XSS malware to begin with.

4 comments:

Albert
said...

I've seen this attack example in http://xss-proxy.sourceforge.net , it seems pretty similiar to the attack you describe, but it goes into using javascript and its HTML DOM manipulating capabilities to establish a connection with the victim.

By the way, thanks for commenting. For a while there I thought I was the only reader. :)

RSnake and I share lots of ideas, so its no surprise our posts and presentations overlap. The main thing he put forth in the post I meantioned, that I hadn't covered, is how to go about finding and exploiting the intended target website without the attacker leaving their IP address in the logs. His method explains a way to do. My example and explanations so far has been where the attacker does their homework up front, and then uses the victim for exploitation.

About Me

Jeremiah Grossman's career spans nearly 20 years and has lived a literal lifetime in computer security to become one of the industry's biggest names. He has received a number of industry awards, been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events including many top universities. All of this was after Jeremiah served as an information security officer at Yahoo!